Recommended Operation
New Features in this Release
Upgrading to this Release
Known Issues/Limitations Fixed in this Release
  All Secure Access Platforms
  SA 1000 through SA 6000 Items
Known Issues and Limitations
  All Secure Access Platforms
  SA 1000 through SA 6000 Items
Supported Platforms
• When using WSAM on Pocket PC, if you have multiple roles defined, please select the option for “Merge
settings for all assigned roles” in Administrators > Admin Realms > [Realm] > Role Mapping.
• Do not delete the main cluster licensing node. Doing so will delete the whole cluster. (27972)
Binary Import/Export
• Client Log settings for Host Checker and Cache Cleaner are not getting exported and imported
correctly. If client log setting is enabled for Host Checker and Cache Cleaner, the setting is lost
when system configuration is exported and imported later. (38449)
• In this release, binary import with the option “Import everything except IP” correctly preserves
IP address, netmask and default gateway for the internal/external/management ports (i.e., it does
not result in these values being overwritten by values in the imported configuration). However,
the following inconsistencies can arise:
o VIPs associated with the internal/external/management ports get overwritten by
imported values. The administrator needs to manually reconfigure the VIPs following
the binary import.
o Static routes in the route tables associated with the internal/external/management ports
are overwritten by the imported values. The administrator needs to manually
reconfigure the static routes within the internal/external/management route tables.
(40618)
AAA
• For a delegated admin, the Read and Write permission to manage a user role's Telnet/SSH feature
is tied to SAM permissions. The admin will not be able to manage Telnet/SSH sessions if
permission to manage SAM is Read or Deny. The reverse is not true (SAM permissions are not
dependent on those of Telnet/SSH). (43123)
• When duplicating a role that has been assigned to a resource profile, the new duplicate role may
lose its association with the resource profile. (42211)
• When using the Pocket PC (Win Mobile 5.0) to authenticate to an SA device using login name and
password, if there is a client certificate restriction set at the realm level, a "Page not found" error
will be displayed after the certificate selection. If the user tries to log in again, the authentication
will succeed. Currently there is no workaround. However, if a client certificate is used for
authentication, the authentication will go through the first time without the error. (43567)
Hostchecker
• The Cache Cleaner option "Disable AutoComplete for Web addresses" does not work in IE7 on
Windows Vista. (45362)
• When Hostchecker periodic update results in a loss of a subset of all roles associated with the
session, the remediation page may not be displayed correctly. Users should log out and log back
in to resolve the issue. (46914)
• Users with restricted access cannot install Host Checker when Juniper installer service is installed
(44920).
Installer Service
• The Installer Service correctly shows in the services manager as “JuniperSetupService”. (35134)
Linux Client
• Clicking the SignOut button on the Network Connect client or the OK button on the session
timeout message box properly closes the Network Connect client. (41012)
• Network Connect client exits properly after Session Timeout happens. (46513)
Windows Client
• If a split tunnel is enabled and the configured IVE server IP address is not in the split tunnel
subnet, after NC tunnel connects, NC diagnostics skip connection test to the NC server. This
is because the configured IVE server IP is not routed through the split tunnel network, thus,
NC diagnostics are not able to ping the server IP when the NC tunnel is established. (28485,
39228)
• With Vista strong host model enabled and when Network Connect client connects to the IVE,
the current local area network traffic is routed through Network Connect tunnel if “split
tunnel disabled” is configured. (45695)
GINA
• When connecting to the IVE using GINA/HC with authenticated proxy, the user is no longer
asked to enter credentials twice, once for Network Connect GINA and once for Host Checker.
From this release onwards, the user will only be asked to enter credentials once. (34656)
• In this release, if the computer is not a domain computer, Network Connect GINA will not be
installed because GINA is only necessary for a domain computer. (35566)
• If a 3rd party GINA is installed after Network Connect GINA, Network Connect cannot be
uninstalled until the user uninstalls the 3rd party GINA. A clean command has been added to
the NC uninstall script to force uninstallation of Network Connect in this situation. In this
case, the 3rd party GINA will no longer function. (44102)
• This is already documented in the admin guide. When a user logs in via Juniper GINA to an
IVE, if a matching version of the Network Connect client is present on the user's PC, Juniper
GINA establishes a Network Connect connection to the IVE using the appropriate version of
the Network Connect client. If no matching version of the Network Connect client is present,
Juniper GINA will not be able to set up a Network Connect connection to the IVE. Prior to
release 5.4, Juniper GINA displayed a version mismatch warning message and allowed the
user to log in to the Windows desktop using the cached credentials. In release 5.4, Juniper
GINA has an added feature: after the user is logged in to the Windows desktop with the
cached credentials, a standalone Network Connect client is automatically launched, which
the user can use to log in to the IVE, and the appropriate version of the Network Connect
client is then automatically downloaded and launched. (44327)
Terminal Services
• The Installer Service has problems installing the Windows Terminal Services client on
Windows XP if the Windows Terminal Services session has SSO defined. (40975)
• Duplicating a Citrix Terminal Services session in a role or a Citrix Terminal Services resource
profile will not work if it has a custom ICA file defined. (40803).
• Launching a Windows Terminal Services session on user login will not work if WSAM or NC
are also configured to automatically launch at user login. (39581)
• Launching a Windows Terminal Services session on user login will not work if multiple
Windows Terminal Services sessions are configured to auto-launch. (30693)
• Restricted users on a Windows machine who are using a Firefox browser may have trouble
launching Juniper Windows Terminal Services. To work around this issue, install a
production SSL certificate on the IVE. (43817)
• Windows Terminal Services session does not work without SSO parameters configured if the
RDP client is upgraded to version 6.0 through Microsoft update KB925876 (44388).
• The title of the Windows Terminal Services window on Windows Vista in the full screen
mode will show a loopback IP address instead of the host name or IP address of the target
server. This issue will be resolved in IVE release 6.0 (44674).
• On Vista, when “Skip web-proxy registry check” is disabled and user configures proxy on
browser, the warning message “A web proxy has been configured” is masked by “You do not
have permissions to modify the hosts file” message. (44626)
• Restricted users on a Windows machine who are using a Firefox browser may have trouble
launching JSAM. To work around this issue, install a production SSL certificate on the IVE.
(43820)
Rewriter/Web Applications
• If there is a difference between the time on the SA and the end user machine then the session
timeout reminder popup will be off by a value equal to the time difference. This is true if the
only access mechanism enabled on the SA is the rewriter or file browsing. (41260)
• In the detailed rules for SSO Form POST and the SSO Cookie/Headers resource policies, if the
configured POST values or header values are re-sorted then all the configured values are
erased. (43896)
• NTLM, Basic Auth, and Form POST SSO will not work with application servers that expect
File Browsing
• Windows network discovery is not disabled by default in a newly created IVS. It may be
disabled if the file browsing feature is not used for the IVS. (43152)
• NFS file browsing does not work if user authenticates with Active Directory or System Local
auth servers. (44157)
• For DFS file sharing on Windows 2003 Server and Windows 2003 R2 Server, if the domain
root is a hidden share (name contains an ending $) and has links to shared folders on same or
different domains, file operations do not work. (42557)
• For DFS file sharing on Windows 2003 Server and Windows 2003 R2 Server, if the domain
root is a hidden share and has links to hidden root shares on same or different domains, file
operations do not work. (42557)
• For DFS file sharing, file operations do not work on a root share that refers to another root
share in the same or different domain. (42557)
• For DFS file sharing on Windows 2003 Server and Windows 2003 R2 Server, if the domain
root has links to hidden root shares on same or different domains, file operations do not
work. (42557)
Pocket PC
• WSAM UI strings are not localized. (38166)
• W-SAM menu strings are not visible if the Pocket PC device’s tool bar has extremely dark
color. This problem was observed on the Orange M5000 device. (40544)
• W-SAM on PPC doesn’t support persistent session. If persistent session is enabled, after W-
SAM launches, it redirects browser to the initial log-in IVE page instead of IVE home page.
(42870)
• On certain devices, such as the Cingular 8125, the user is asked to reboot the device when
launching W-SAM on a different IVE even though this IVE has same release version as the
installed W-SAM. (42870)
Internationalization Issues
• W-SAM is only supported in English on the Pocket PC. (27221, 32183, 38166)
• If the “Management Port” option is selected on the Troubleshooting > Commands page in the
System Services
• The hardware SSL accelerator card on SA5000 is disabled in the 6.0R1 release. (45158)
• The new ICE license limits are not applicable to SA5000 machines. (48356)
• License upgrade may not work if the original licenses are installed in 3.x releases. (46110)
• When Custom Cipher Selection is used, the selected ciphers are enforced on SSL connections
from clients. The SA will always present “High” ciphers to backend servers when making SSL
connections. (47718)
• The "RC4-64-MD5" cipher is no longer supported in "LOW" setting. (48967)
• The current SSL-VPN configuration import functionality does not track any platform-specific
functionality such as SSL acceleration cards. Hence, if an admin were to import the
configuration from an IVE platform (SA3000) into an SA6000, SSL crypto acceleration would be
disabled, as the SA3000 does not have the crypto functionality. (38433)
• There are known problems where the data storage on the IVE subsystem could lose data updates
if the system time on the IVE is rolled backwards. This is an unlikely situation. A fix for this
problem has gone into Release 5.2; however, if upgrading to Release 5.1 and older versions,
customers could experience data loss under the mentioned conditions. As a symptom, customers
have reported missing IVS licensing information. (32598)
Administration Tools
• If a serial console troubleshooting tool (such as ping) becomes unresponsive, press CTRL+C to
terminate the tool and return to the menu.
• VLAN tags do not show up in the TCPDUMP troubleshooting tool due to hardware acceleration.
(28400)
Connectivity
• FIN packets may leak from internal port to external port. However, there are no security
ramifications for this activity. (25095)
SNMP
• Snmpwalk does not report NC tunnel interfaces due to performance overhead related with
retrieving the corresponding OIDs. This behavior is different from previous releases, where all
network interfaces were reported by snmpwalk.
• The iveRebootTrap is not sent if the IVE is rebooted via the serial console. However, an event of
severity “Major” is logged in the Event Log. Additionally, if the “Major Log Trap” checkbox is
selected on the Log/Monitoring > SNMP page, a major log trap is generated for this event. (41829)
• An SNMP MIB walk of the entire IVE MIB is expected to be CPU intensive. The recommendation is
to configure the external SNMP monitoring application to bypass the tcpTable in the TCP MIB
when walking the IVE MIB. (44894)
• XML Import/Export and Push Configuration of Resource Profiles data are not supported.
Therefore, any resource policies or bookmarks created from within a resource profile will not be
exported or imported in an XML Import/Export operation.
• XML Import/Export is not supported when uploading applets. The IVE generates an error
message during import. The workaround is to remove the applet bookmarks from the XML file
(32173):
1. Export the System configuration under Maintenance > Import/Export > Configuration page.
2. Import the exported file back into the IVE under the Maintenance > Import/Export >
Configuration page. Select the “Import everything except network settings and licenses”
option.
• XML Import/Export for Basic Auth and NTLM auth resource policies is not supported. (31383)
• XML Import/Export is not supported for the following sections in Terminal Services Options Role
page: "Options", "Allow users to enable local resource defined below" and "Allow users to modify
Display settings below". (34685, 49737)
• XML Import/Export is not supported for the following options in a "Citrix using default ICA"
Terminal Services Session Type: "Session Reliability and Auto-client reconnect" and "Port to be
enabled". (49737)
• When an XML Import or Binary Import operation is performed on a cluster node, it can take up
to 5-8 minutes for the operation to complete, including the time to synchronize this configuration
across all the nodes in the cluster. There is no progress bar or other UI indication of the progress
during this interval. The same issue is seen when a Push Config operation is applied to a target
cluster. (40621, 25888)
• If an XML file containing Secure Meeting settings is to be imported into an IVE device via the
XML Import operation, or if an IVE device is the target for a Selective Push Config operation
• The field "VLAN" under a user role > General >Vlan/SourceIP is not supported by XML
Import/Export. (35096)
• XML Import/Export is not supported for the new MySecureMeeting options. (45325)
• XML Import/Export is not supported for Meeting Types section under a Meeting role. (49708)
• When XML Export is performed on a user role that has NC enabled, the following role settings are not
exported: “Enable TOS bits copy” and “Multicast”. (49730)
• XML Import/Export is not supported for "Rewrite links in PDF files" in the Web Options Role page.
(49749)
Archiving
• FTP archiving does not work when the absolute path to the FTP server is specified in the Archive
Server field under “Archive Settings” in Maintenance > Archiving. However, it does work if the
relative path to the FTP server is specified. Note: this is not an issue for SCP archiving. (43423)
• Even though NC packet logging has been removed, a dummy “NC packet logging” section still
exists in the IVE Archiving admin UI page. This section can be expanded and granular settings
can be configured within this section by the administrator. However the IVE silently ignores
these settings. (48803)
• Archiving will not clear sensors and client side uploaded logs if the options to do so are selected.
(48763)
• The Admin UI will show the following checkboxes unchecked, though they are configured, when
Admin logs in with Read-Only right: Archive events log, Archive user access log, Archive admin
access log, Archive NC packet log, Archive Sensors log, and Archive client-side log uploads. This
is just a UI presentation issue and not affecting actual archiving functionality. (42548)
AAA
• Users are forced to change their passwords when XML-exported System Local user accounts are
imported back into the SSLVPN device. This happens only if password management is in force, and if
passwords were originally configured to be expired after the lapse of a specified number of days. The
work-around is to avoid XML export/import of user accounts and use binary export/import instead.
(47476)
• On restart, the message "ntjoinserver: no prcess killed" may sometimes be seen on the console. This is a
harmless message and can be ignored. (49111)
• The upload of custom sign-in pages may sometimes fail. This happens rarely and randomly.
The workaround is to try again, preferably with debug log enabled. (46936)
• When using WSAM in conjunction with SiteMinder authentication, the client will experience an
idle timeout even though the client is actively accessing the IVE. This timeout happens according
to the idle timeout value configured in the policy server (41624).
• The IVE currently does not support load balancing during ACE authentication. It has no option
to upload the sdopts.rec file which is internally used for load balancing by the ACE client. (37656)
• The maximum number of combined bookmarks a role can have is ~500. If a role has more than 500
Password Management
• Password Management must be enabled at the realm level if the Admin wishes to enable
password expirations or require a user to change a password at the next log-on.
• When a user’s password is expired, and Password Management is NOT enabled for that user’s
realm, the error message displayed to the end-user shows “account disabled”, although this
account may not truly be disabled. This will be addressed in a future release. (21654)
• When using Sun One/iPlanet as an Authentication server and enforcing both “password
expiration in X days” and “allow password change after Y days”, if the user’s password is reset
(or changed) then the user’s profile will have a new password expiration date. However, if the
password expiration timeframe is changed (for example from 10 days to 20 days), then the user’s
profile will still show the old password expiration time. This is a limitation of Sun One/iPlanet to
which we adhere.
• AD Domain Controllers synchronize security policy settings every 5 minutes. If a change is made
to the security policy, for example “minimum password length”, it could take up to 5 minutes
before that change propagates to all Domain Controllers. This also applies to the Domain
Controller on which the change was originally performed. For more information, please refer to:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/lpe_overview.asp.
• For a list of which Password Management functions are supported for the various platforms, and
for a list of attributes, please see the Administration Guide or online Help.
Internationalization Issues
• When importing a custom HTML Help file for end-users, if the file is encoded in a different
language, for example, Shift_JIS, it must be converted to UTF-8 before it is imported by the IVE
administrator. (10839)
• The following URL contains a list of characters which are not supported for filenames or folders
on Samba Servers: http://support.biglobe.ne.jp/help/faq/charactor/izonmoji.html. (14529 and
14348)
• With localized Pocket PCs, such as the Japanese Pocket PC, the locale is not sent in the HTTP
header, and thus the IVE is unable to detect which language to return, so English is returned by
default. (22041)
• Internet Explorer may truncate Japanese filenames if they are too long. Additionally, some Excel
files cannot be saved. More details can be found about this non-IVE issue at:
http://support.microsoft.com/?kbid=816868. (14496)
• The timestamp function of the IVE may not be in the same format as what is expected when
All OS platforms
• In the event that a “standalone installer” of Network Connect or WSAM is provisioned to the
client, a machine that has the browser restricted such that no additional trusted publishers can be
added, the ActiveX control or Java Applet required to launch the application will not be
registered, and the application will not launch and will fail with no error. (46718)
Macintosh Client
• When a Network Connect tunnel is established on a Mac OS X computer, Network Connect
might encounter failures when PING packets with sizes greater than 8000 bytes are sent. This is a
limitation of the underlying Mac OS X platform. (24809)
• Occasionally, Safari may not respect the new proxy settings introduced by Network Connect
immediately after Network Connect is started. Restarting Safari will cause Safari to begin using
the new proxy settings. (27090)
• Network Connect fails to reconnect when a VIP fail-over occurs in an Active/Passive cluster
environment if the client is on the same subnet with both nodes of the cluster. (27388)
• Sometimes, after clicking Sign Out in the browser, the user may see the message “session
terminated due to duration restrictions”. (47829)
• Client-side proxy is not supported on Mac OS X 10.2. (47885, 47960)
• Authenticated proxy is sometimes not supported on Mac OS versions earlier than 10.3.9. (49009)
Linux Client
• Users should not remove the /etc/resolv.conf file while NC is running, as it causes the client to
terminate. (31037)
• In some situations, when authenticated proxy is used with Network Connect, the proxy takes
precedence over the Network Connect route, causing an HTTP resource behind the IVE to be
unreachable. (34481, 33938)
• Due to a Firefox issue on Linux, CPU usage goes up significantly when the NC client is being
downloaded and installed. (34949)
• Shortcut keys for localized menu items are not correct. (35672)
• Sometimes a Network Connect tunnel fails to set up when launched from a command line.
(38735)
• Auto-uninstall on sign-out is not working. (41010)
• When an existing Network Connect is running, launching a new Network Connect causes the
previous Network Connect tunnel to be disconnected and a new Network Connect tunnel to be
established. (47060)
• The Network Connect client doesn’t have reconnect functionality on Linux. (47211)
Windows Client
• If a Restricted user has Network Connect installed on their system, Network Connect can only be
uninstalled if a user with Admin privileges attempts to run the uninstaller, or the Installer Service
is installed and the restricted user uninstalls from the uninstall link under Preferences in the
user’s IVE homepage. (22200)
• The supported scenarios for Network Connect are valid only when the client PC does not switch
NICs during the Network Connect session. Any scenario involving switching NICs might work,
but is not guaranteed. The recommended behavior for the customer for switching NICs would be
GINA
• The Network Connect client needs to be installed prior to Windows logon for the GINA launch to
occur. We strongly recommend that you do not enable auto-uninstall of Network Connect on
sign out for roles where GINA is enabled. (29937)
• To log in to the IVE using NC GINA, the user has to use the same IVE IP address / hostname as
used by the browser. For example, suppose the IVE has external and internal IP addresses, and the
client is able to reach the IVE via either of the two IP addresses. If the user uses the IVE’s external
IP address to log in using the browser, then when using NC GINA the user must use the IVE’s
external IP address. If the user uses the IVE’s internal IP address, the NC tunnel cannot be
established. (34534)
• GINA/HC: Advanced Endpoint Defense: Integrated Malware Protection detection works only in
user context mode and in certain situations as described in the documentation. (34806)
• When GINA starts with Host Checker enabled, and Cache Cleaner is running, log entries appear
in the User Access Logs. (35223)
• GINA doesn’t support certificate authentication. (36093, 34534)
• If the IVE is not responsive, the GINA login progress screen may freeze for up to 30 seconds.
NC Command Launcher
• If a user is using Microsoft Internet Explorer 6.0 Service Pack 1 and a proxy is configured, the
user is not able to launch a New Secure Gateway window from the Network Connect icon menu.
This is due to an IE 6.0 SP1 problem: http://support.microsoft.com/?kbid=329802 (38869)
• The Network Connect launcher doesn’t support Host Checker and Cache Cleaner in this release.
(38876)
• In Vista, if “Check for server certificate revocation” is selected, nclauncher is not able to launch
Network Connect. (48814)
Installer Service
• If Encrypted File System is enabled on the current user’s temp directory, the Installer Service
fails to install. (36569)
Rewriter/Web Applications
• In IVE versions 5.4 and greater, the rewriter behavior was modified for the "Unchanged" caching
policy. In versions prior to 5.4, for the "Unchanged" caching policy, the IVE would strip out
Cache-Control:no-cache and pragma:no-cache headers in the response header. In versions 5.4 and
later, the caching headers are not modified and sent as is. One implication of this change is for the
Citrix published application through Web Interface. In some cases the Web Interface server may
send a Cache-Control:no-cache in the response header for an ICA file. In 5.4, with a caching
policy of "Unchanged", this caching header will not be removed and therefore the ICA file will
not be downloaded to the PC. To fix this issue, change the caching policy to Smart Caching.
(48861)
• If a web page is sending a POST request to an SSL-enabled webserver that does not have a valid
SSL certificate and the IVE is configured to display a warning for invalid server certs, then the
POST request will not succeed. To work around this issue, purchase a valid SSL certificate for the
webserver or disable the invalid server certificate warning for end-users. (46806)
• When downloading a document through a link in the webpage, if the filename exceeds 155
characters then the filename in the Save As dialog is "default". (45746)
• External PTP links that are embedded in a PTP page may not work. For example, if the
bar.company.com page contains a link to foo.company.com and foo.company.com is configured as a
host-mode PTP application, then the link to foo.company.com will fail. To work around the issue,
port-mode PTP should be used for PTP links embedded in other PTP applications. (49403)
• To use OWA 2007 with Pass Through Proxy, the admin must configure a Selective Rewriting
policy for resource "*:*/owa/ev.owa?*" and action set to "Don't rewrite content: Do not redirect to
target web server". (46344)
• If PTP is configured in hostmode and the virtual hostname is different from the IVE hostname
and if a persistent cookie is enabled under Roles > Session Options then the following option
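A pre-upgrade check for the "Unchanged" caching policy item (48861) above, as an added example that is not Juniper code: it scans saved back-end response headers for the two headers that releases before 5.4 stripped and marks the ICA files among them. The URLs, sample responses and function names are constructed for illustration, and identifying an ICA file by the `application/x-ica` content type or a `.ica` suffix is an assumption about how the Web Interface serves it.

```python
# Added example (not Juniper code): find back-end responses that carry
# Cache-Control: no-cache or Pragma: no-cache. Releases before 5.4 stripped
# these under the "Unchanged" caching policy; 5.4 and later send them as is.

def parse_response_head(raw):
    """Return (status_line, [(name, value), ...]) from a raw HTTP response head."""
    lines = raw.strip().splitlines()
    status, headers = lines[0], []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            # Obsolete folded continuation line: append to the previous header.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return status, headers


def no_cache_headers(headers):
    """Return the Cache-Control / Pragma headers that include a no-cache directive."""
    hits = []
    for name, value in headers:
        if name.lower() in ("cache-control", "pragma"):
            directives = [d.strip().lower().split("=")[0] for d in value.split(",")]
            if "no-cache" in directives:
                hits.append((name, value))
    return hits


def is_ica(url, headers):
    """Assumption: an ICA file is served as application/x-ica or from a .ica path."""
    ctype = next((v for n, v in headers if n.lower() == "content-type"), "")
    path = url.split("?", 1)[0].lower()
    return ctype.split(";")[0].strip().lower() == "application/x-ica" or path.endswith(".ica")


def audit(captures):
    """List responses whose no-cache headers reach the client unmodified on 5.4+."""
    findings = []
    for url, raw in captures:
        _, headers = parse_response_head(raw)
        hits = no_cache_headers(headers)
        if hits:
            findings.append({"url": url, "ica": is_ica(url, headers), "headers": hits})
    return findings


# Constructed sample captures (hypothetical host and paths).
CONSTRUCTED_CAPTURES = [
    ("https://wi.example.test/Citrix/site/launch.ica",
     "HTTP/1.1 200 OK\r\nContent-Type: application/x-ica\r\n"
     "Cache-Control: no-cache\r\nPragma: no-cache\r\n\r\n"),
    ("https://wi.example.test/Citrix/site/style.css",
     "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
     "Cache-Control: max-age=3600\r\n\r\n"),
    ("https://wi.example.test/Citrix/site/default.aspx",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
     "Cache-Control: private, No-Cache\r\n\r\n"),
]

if __name__ == "__main__":
    for f in audit(CONSTRUCTED_CAPTURES):
        kind = "ICA file, review caching policy" if f["ica"] else "other resource"
        print(f["url"], "->", kind, f["headers"])
```

Responses flagged as ICA files are the ones the item above says will not download under "Unchanged" on 5.4 and later; the page's stated fix is to change the caching policy to Smart Caching.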
File Browsing
• When downloading a file in IE whose filename is longer than 155 characters, the filename is
truncated to 155 characters. (49218)
• If the time it takes to upload a file through the file browsing functionality exceeds the idle
timeout then the file upload operation will fail. (49224)
• If a user enters an invalid folder name when updating a windows file bookmark then the edit
bookmark page cannot be accessed again. (48051)
• Multiple file download is not supported on Windows Mobile devices. (47026)
• When uploading filenames with Japanese characters on a Mac OS X, the file upload status
window displays a garbled filename. (47953)
• When downloading a Japanese file on a Windows Mobile 5.0 device, the filename is corrupted.
This is due to a problem on WM 5.0. (47021)
• With the clientless file browsing feature, when downloading a file that has a .tar.gz extension, the
filename will contain square brackets. (45715)
• On Mac OS 9.2/Netscape 4.79, when uploading a file that contains a space in its name, the IVE
will replace the space with a % character. (19945)
• When a file with Japanese characters in the filename is opened right after the download, the
filename looks corrupted. This is due to the IE browser not honoring the content-disposition
header when the file is opened directly. (32266)
• NFS Auto-mount is not supported on Linux NIS/NFS servers, only on Sun servers. (2005)
• For NFS file browsing to work properly, you must configure an NIS server on the IVE before
enabling NFS file browsing. (14594)
• When opening a file in the Japanese locale the URL displayed in the Internet Explorer title bar
and the URL bar is garbled. The file when viewed is displayed incorrectly. This is due to a bug in
Internet Explorer. (19612)
• When using the multiple file download feature in Windows File Browsing, the downloaded zip
file will not preserve the names of the files if the file name contains non-English characters
(38304).
• Due to a bug in the Microsoft Network discovery API NetServerEnum2, the IVE will not be able to
extract the workgroup information if the master browse server is in a different subnet. (43172)
Pocket PC
• Windows SAM options under Users > User Roles > Select Role > SAM > Options are not
supported on Pocket PC. (45956)
• WSAM doesn’t support client auth proxy settings in PAC files through Firefox. (47769)
• When using WSAM on the Treo, please disable the manual proxy on the device. (46081)
FIPS
• If you replace an administrator card using option 10 in the serial console after upgrading a Secure
Access Series FIPS appliance, the Security World is modified to use the new administrator card. If
you then try to perform a “rollback,” the new administrator card does not work. This is because
the “rollback” reverts to the original Security World, which is not yet configured to use the new
administrator card. To activate the new administrator card, you must use option 10 on the serial
console once again.
• Secure Access Series FIPS does not support automatic time synchronization across cluster nodes.
We suggest that you configure your cluster nodes to use the same NTP server to ensure they are
synchronized. If the cluster nodes are not synchronized, time-based features (such as Secure
Meeting) do not function properly.
• If the HSM module switch is set to I on a FIPS-enabled Secure Access appliance, the machine is in
“initialize” mode. Rebooting the appliance during this time reinitializes the server key and
MSP (IVS/VLAN)
• NC address assignment within an IVS via a centralized DHCP server (configured to serve
multiple IVS’s) does not work if the IVS name contains certain special characters. The following
special characters -, _, (, ), ., <, >, [, ], {, }, @ and : are supported. The administrator is advised to
avoid using any other special characters in the IVS name. (33793)
• While doing an upgrade on an SA700 (which does not have an IVS license), the text "Importing
ivs data” is displayed on the serial console. (35596)
• If a binary system configuration is imported with "include network settings" selected to an IVE
with IVSs and VLANs, then existing VLANs will be replaced. This may leave an IVS with no
Selected VLANs in its profile. To work around this issue, the IVS root admin must go into each
individual IVS and reconfigure the "Selected VLANs" and mark the appropriate VLAN in each
IVS as default. In addition, they need to go into each Role within each IVS and click on "Save
changes" to ensure that the default VLAN configured for the IVS is correctly reflected in the
Role's VLAN/Source IP settings. (41085)
• When an IVS configuration is initialized by copying the configuration from the root system or
another IVS (copy source), if the copy source has a realm called “Users” and a role called “Users”,
where the “Users” realm is the system-created default realm whereas the “Users” role is an
admin created role, the copy operation will result in the “Users” role getting copied over to the
target IVS, but not the “Users” realm. To work around this issue, the administrator can manually
create a “Users” realm in the target IVS and configure it with an appropriate role-mapping rule.
(49136)
• When an IVS license is added to an IVE that already has the VLAN license installed, the expected
behavior is that all existing roles should get unbound from VLANs and access to backend
resources via VLANs should fail after addition of IVE license. The actual behavior is that the
admin UI presents the roles as being disassociated from their former VLANs, but user access to
backend resources continues to work over VLAN interfaces. It takes an IVE reboot for backend
access to fail as expected. (48240)
• In an NC/IVS/VLAN deployment, if an NC client is mapped to a role that is associated with a
VLAN interface, Gratuitous ARPs for the NC client’s IP address are not sent over the
corresponding VLAN interfaces. In A/P clusters, the absence of the VLAN G-ARP following a
failover can result in loss of connectivity between NC clients and backend servers for several
minutes, since the next-hop router connected to the IVE backend has stale ARP entries for the
corresponding NC IP pool addresses pointing to the formerly active node. To work around this
issue, the administrator can clear the router’s ARP cache as soon as an IVE failover occurs.
(45983, 49487)
• After an IVS has been deleted via the admin UI, internal cleanup operations to purge the IVS
from the system can take up to 3 minutes. During this interval, attempts to create another IVS
with the same name will be unsuccessful, producing the error message ‘Failed to save changes.
• When using JSAM within SODA 2.6 (SODA build prior to 2237), the etc/hosts file does not get
restored to its original state when JSAM is exited. The etc/hosts file does get restored with SODA
2.5 and with SODA 2.6 builds 2237 and greater. (37486)
• Outlook 2003 and Outlook 2007 are not supported with J-SAM. To work around this issue, use
W-SAM or Network Connect. (8251)
• Netscape may lock up on users who close J-SAM. To work around this problem, users can add
the following line to their “java.policy” file:
grant { permission java.security.AllPermission; };
• J-SAM does not automatically launch when Embedded Applications are set to “Auto” in the
Citrix Web Interface. To work around this issue, configure J-SAM to launch automatically when
the user accesses the Citrix Web Interface login page.
• When using W-SAM and J-SAM, if a user has a pop-up blocker, that user may experience
problems waiting for SAM to fully load. A pop-up window alerting the customer to accept the
SAM plug-in may be waiting in the background behind the Internet browser.
• The application discovery functionality within Citrix Program Neighborhood is supported once
port 80 is configured under J-SAM. However, if a user attempts to use the server discovery
feature, which does not work through the IVE, and then attempts to use the application discovery
again, the application discovery fails. The workaround is to restart Citrix Program
Neighborhood. (8665)
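A grant entry with no codeBase, signedBy or principal clause applies to all code loaded under that policy, which is the form of the java.policy line in the Netscape workaround above. The following check is an added example (not part of these release notes or of any Juniper tool) that lists each grant entry in a policy file and flags AllPermission granted without a scope; the sample policy text is constructed.

```python
import re

# Strings are matched before comments so "//" inside a codeBase URL survives.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/', re.S)
# One grant entry: qualifiers between "grant" and "{", permissions up to "};".
GRANT_RE = re.compile(r'\bgrant\b(?P<quals>[^{;]*)\{(?P<body>[^}]*)\}\s*;', re.I)
QUAL_RE = re.compile(r'\b(?:codeBase|signedBy|principal)\b', re.I)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)', re.I)
ALL_PERMISSION = "java.security.AllPermission"

# Constructed sample policy; the last entry is the line quoted in the release note.
SAMPLE_POLICY = r'''
// grant { permission java.security.AllPermission; };   (commented out, ignored)
grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.security.AllPermission;
};
grant { permission java.util.PropertyPermission "java.version", "read"; };
grant { permission java.security.AllPermission; };
'''


def mask_literals(text):
    """Blank out comments and replace each string literal with "<index>"."""
    strings = []
    def repl(match):
        token = match.group(0)
        if not token.startswith('"'):
            return " "
        strings.append(token[1:-1])
        return '"%d"' % (len(strings) - 1)
    return TOKEN_RE.sub(repl, text), strings


def audit_policy(text):
    """List each grant entry; flag AllPermission granted without any scope."""
    masked, strings = mask_literals(text)
    entries = []
    for grant in GRANT_RE.finditer(masked):
        quals = " ".join(grant.group("quals").split())
        perms = PERM_RE.findall(grant.group("body"))
        entries.append({
            # Put the original string literals back for reporting.
            "scope": re.sub(r'"(\d+)"', lambda m: '"%s"' % strings[int(m.group(1))],
                            quals) or "<all code>",
            "permissions": perms,
            # No codeBase/signedBy/principal: the entry applies to all code.
            "unscoped_all": ALL_PERMISSION in perms and not QUAL_RE.search(quals),
        })
    return entries
```

Run audit_policy over the contents of the user's java.policy file; any entry with "unscoped_all" set to True is a candidate for narrowing with a codeBase or signedBy clause.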
Mac OS Specific J-SAM Items
• On Mac OS X 10.2.X, if the framed toolbar is configured then the JSAM autolaunch policy feature
is not supported. (46594)
• When auto-launching J-SAM using Safari (versions prior to 1.2), J-SAM opens a new browser
window to display the home page instead of updating the original window that launched J-SAM.
This results in two open browser windows. This is due to a limitation in these versions of Safari.
(21747)
• On Mac OS X, the first time J-SAM is launched after rebooting the machine, the launch may fail.
This is due to Apple's JVM code behavior. (Apple Bug #3860749) (21746)
• When running J-SAM on a Mac OS X client, if the user clicks “No” on the SSL certificate warning,
the user must quit and restart the browser in order to launch J-SAM successfully.
Hardware
• On the SA6000, avoid hot-plugging RAID drive connect-disconnect-connect sequences that are
faster than 5 minutes. Doing so causes the system to accept the drive as healthy even if the drive
has missed updates. (31583)
• RAID status lights do not work as expected when the bay is empty after upgrading. Rebooting
the device resolves the issue. (37176)
• After an upgrade, occasionally an SA6000 system could see inconsistent LED behavior where the
RAID Status LED blinks in RED and the Hard Disk LED is not lit. This incorrect LED behavior is
cosmetic and does not reflect the actual state of the system. It is caused by the fact that the
system didn’t initialize itself properly during soft reset. A cold restart will fix this problem.
(35150)
• If an SA6000 goes from a two-drive configuration to a single-drive configuration (due to drive
failure and/or removal) and is rebooted, the machine halts during boot and displays a serial
console message similar to the following:
The user should hit Enter to continue using the machine with a degraded array until a replacement
drive can be obtained.
Secure Meeting
• When using the Java client to launch a Secure Meeting, if the user clicks No on the certificate
warning presented by the JVM, the meeting client does not launch, but it appears to the user as
though the applet is still loading. (22712)
• On the Appointment tab in the Microsoft Outlook Calendar, there is a checkbox called "This is an
online meeting using…" This checkbox is not related to the Meeting Server or the Secure Meeting
for Outlook Plug-in. This field cannot be used by a third-party plug-in. (21327)
• When installing the Secure Meeting plug-in on Microsoft Outlook 2000, a message appears
warning that “the form you are installing may contain macros.” Users may safely click either
“Disable Macros” or “Enable Macros” since the Secure Meeting form does not contain macros.
(21408)
• The end-user must use the same Outlook profile to un-install the Secure Meeting Plug-In for
Outlook as the one used to install the Plug-In. Switching profiles between the installation and un-
installation of the Plug-In is not supported. (22655)
• On the Macintosh and Linux platforms, even if the viewers are set to full screen mode, the toolbar
is still visible. (19506)
• We recommend that you do not upgrade the Meeting while Secure Meeting is running on
Macintosh or Linux machines. If an upgrade is performed during a Secure Meeting, Macintosh
and Linux users might not be able to launch the client for a new meeting. This is due to Safari and
Mozilla browser behavior related to caching Java applets. The user must close and restart the
browser to fix the problem. (22273)
• When scheduling a meeting from Microsoft Outlook 2000 using the Secure Meeting Plug-in, the
user must click "Delete Meeting from Server" on the Secure Meeting form to delete the meeting.
The Delete button on the Outlook form does not delete the meeting from the meeting server. This
is due to Microsoft Outlook behavior. (21336)
• When the user launches Secure Meeting, a Security Warning is displayed regarding the SSL
negotiation between the client and the IVE. The user must respond to the warning within 15
seconds for the meeting client to launch successfully. (22711)
• Safari 1.0 has a bug wherein it does not fully support proxy configurations. As a result, if there is
a proxy configured, the meeting client cannot be launched from this browser. We are working
with Apple on this issue. (17550)
• When using two IVEs in a Secure Meeting cluster, users should always connect to the VIP
address to join the Secure Meeting--not the IP address of the physical machine. (17294)
• Red Hat Linux 9 with Mozilla Firefox 1.6 and Sun JVM 1.4 has a problem with NTLM
authentication when using ISA proxy server to download the Secure Meeting .jar file. This causes
the Secure Meeting client to download incorrectly. (17445)
• When using Mac OS X 10.3.3 and Safari 1.0, if the user clicks “No” on the certificate pop-up, the
Secure Meeting client does not install. If the user wishes to try again, they must open a new Safari
browser window. (17331)
• The Secure Meeting Chat functionality only supports users using the same language encoding
(based on the Web browser settings) in a single meeting. Using a different encoding from the one
the person typing is using results in mangled text. Meeting invitations are sent based on the
SiteMinder
• As of release 5.3, the IVE Admin can configure the SiteMinder auth server to be
compatible with the 5.5 or 6.0 SiteMinder Policy Server. The “compatible with 5.5 Policy Servers
mode” works with either the 5.5 or the 6.0 Policy Server. However, the “compatible with 6.0
Policy Servers mode” only works with the 6.0 Policy Server. There is no difference in the
SiteMinder auth server functionality based on whichever compatibility mode the IVE Admin
configures. This option only controls which version of the Netegrity SDK to use when interacting
with the Policy Server. The recommendation is to match the compatibility mode with the version of
the Policy Server.
• The IVE, from release 4.2 onwards, is compatible with 5.x and later SiteMinder agents. Older
versions of SiteMinder agents are susceptible to a cookie validation failure problem. (29840)
• When using SiteMinder as an Authentication server for the IVE, users must access the IVE using
a fully-qualified domain name (for example, ive.company.com). This is required because the
SiteMinder SMSESSION cookie is only sent for the domain it was configured for. If users access
the IVE using an IP address, they might get an authentication failure and will be prompted to
authenticate again.
End-User Interface
• Welcome messages and portal name are displayed even if the greeting is disabled. (22728)
• If HTML tags are used in the notification message then the collapse/expand feature is not
available. (22264)
Clustering
• Cluster upgrades from IVE software version 4.0p1 to version 5.3 do not complete successfully. An
intermediate step is required for the upgrade process to succeed. The recommended process for the
administrator is: first perform an upgrade from 4.0p1 to 5.0, and then perform an upgrade from 5.0 to
5.3. (35695)
• The IVE does not support a common IP address pool for NC for an Active/Active cluster. In A/A NC
deployments, the recommendation to the administrator is to split up the NC IP pool into node-
specific sub-pools. Further, the administrator is advised to perform static route configuration on the
backend router infrastructure in a coordinated fashion, with static routes to each sub-pool pointing to
the internal IP address of the hosting cluster node as the next-hop gateway. (32829)
• When the cluster is reforming, cluster operations may yield unpredictable results. (18572)
• When the node cannot join the cluster, it will disable itself. The administrator must intervene and
restart the reform process. (25694)
• When setting up the device, the serial console cluster add feature is not functioning. (39755)
• VIPs may still be responding to ARP after a cluster is deleted. Restarting services will resolve the
issue. (38781)
• When log synchronization is not turned on, the nodes that do not have a log archiving server
configured will not archive the logs. (26182)
• After a certificate is de-associated with an interface, it must be deleted before the new certificate will
be present on the interface. (42351)
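One way to work out the node-specific sub-pools and the matching static routes for the Active/Active NC item above, as an added example (not Juniper tooling or IVE output). Node names, internal IP addresses and pool ranges are constructed sample values.

```python
import ipaddress


def plan_sub_pools(first, last, nodes):
    """Split the inclusive range first..last into one contiguous sub-pool per node.

    nodes maps a node name to that node's internal IP address. Each plan lists
    the sub-pool and the static routes (destination CIDR, next hop) that cover
    exactly that sub-pool and nothing else.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    total = end - start + 1
    if not nodes or total < len(nodes):
        raise ValueError("need at least one node and one address per node")
    share, extra = divmod(total, len(nodes))
    plans, cursor = [], start
    for index, (name, internal_ip) in enumerate(nodes.items()):
        size = share + (1 if index < extra else 0)
        lo = ipaddress.IPv4Address(cursor)
        hi = ipaddress.IPv4Address(cursor + size - 1)
        # summarize_address_range returns the minimal CIDR blocks for lo..hi,
        # so no route ever covers an address owned by another node.
        routes = [(str(net), internal_ip)
                  for net in ipaddress.summarize_address_range(lo, hi)]
        plans.append({"node": name, "first": str(lo), "last": str(hi),
                      "routes": routes})
        cursor += size
    return plans


# Constructed sample values: two A/A nodes and two candidate NC pools.
NODES = {"node-a": "10.0.0.11", "node-b": "10.0.0.12"}
ALIGNED = plan_sub_pools("10.20.0.0", "10.20.0.255", NODES)
UNALIGNED = plan_sub_pools("10.20.0.10", "10.20.0.109", NODES)

if __name__ == "__main__":
    for label, plans in (("aligned", ALIGNED), ("unaligned", UNALIGNED)):
        for plan in plans:
            print(label, plan["node"], plan["first"], "-", plan["last"],
                  len(plan["routes"]), "route(s)")
```

With the aligned pool each node needs a single /25 route; with the unaligned pool the first node alone needs six, so choosing pool boundaries on CIDR boundaries keeps the backend router configuration small.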
Terminal Services
• Accessing Citrix published applications through the rewriter will not work if the caching policy
for ICA files is set to Unchanged. As a workaround, change the caching policy for *.ica to Smart
Caching. (49537)
• When using the JICA fallback feature that is configured through a Terminal Services resource
profile, the parameters configured in the HTML text are sent to the JICA applet. Values
configured in the other fields of the bookmark are ignored. (47933)
• In releases prior to 6.0, the "Connect local XXX resources" options defined under Roles >
Terminal Services > Options had two functions: first it determined if this option was visible in
an end-user bookmark; second it determined whether the local resource would be available for
all users of this role. Therefore this role-level option overrode a similar option in the admin
Supported Platforms
Please see the “Supported Platforms” document posted on the Juniper Networks Support Site
(http://www.juniper.net/support/) under “IVE OS” for a current list of supported platforms (operating
system/browser combinations). Note that some platforms do not completely conform to HTTP standards,
so we have tested IVE functionality with the most common operating system/browser configurations
used for the specific functionality. The “Supported Platforms” document summarizes the functionality
tested, our testing model, and the supported platforms for the Neoteris IVE.
To open a case or to obtain support information, please visit the Juniper Networks
Support Site: http://www.juniper.net/support.